ID Theft Hits Patients Twice
Two Criminal Cases Affect Sutter Health Patients
Two criminal cases in California that apparently both involve patient information stolen from Sutter Health illustrate that breaches involving identity theft can lead to continuing woes.
On Nov. 5, Santa Clara police arrested two women, Salina Soriano and Regina Kennedy, at an area hotel after responding to a report that the women had rented a room with a fraudulent credit card.
During a search of the hotel room, police found a large volume of stolen mail, as well as ledgers and notebooks containing personal information about more than 100 people, says Jennifer Deng, deputy district attorney for Santa Clara County, Calif., who is prosecuting the case.
Among those documents was a piece of paper with personal information on 35 women who investigators determined are patients of the breast cancer center at Alta Bates Summit Medical Center, a Sutter Health facility, Deng says. The information included patient names, addresses, workplace, dates of birth and Social Security numbers, Deng says. All of the patients were born the same year.
When police contacted the patients, more than a dozen said they had already reported being victims of ID fraud.
Soriano and Kennedy were arraigned on Nov. 8 and face felony identity theft charges, Deng says. Their next court hearing is Nov. 28. Both remain in custody in lieu of $165,000 bail. If convicted, they face eight years of incarceration.
Link to Earlier Breach
A Sutter Health spokeswoman tells Information Security Media Group that the 35 cancer patients whose names and other personal information were discovered in the Nov. 5 arrest were also among the approximately 4,500 patients whom Sutter contacted about an information breach back in June related to a drug raid by Alameda County police.
During that drug investigation, two individuals were arrested who had gathered personal ID information of patients from a number of Sutter healthcare facilities (see: Another Sutter Health Breach).
Sutter Health includes 24 hospitals, 27 ambulatory care facilities and a network of more than 5,000 physicians in Northern California.
Deng says stolen mail discovered during the arrest of Soriano and Kennedy was believed to have been taken from mailboxes of area residents who might also be victims of ID fraud. "People should look carefully at their credit reports to watch for any new accounts or lines of credit opened in their names," she suggests.
Investigators have not yet determined how Soriano and Kennedy obtained the Sutter patient information, Deng says.
The U.S. Postal Service is aiding the ongoing investigation involving Soriano and Kennedy and is contacting other victims from Alameda and Santa Cruz counties, she says.
Before the drug raid in June that turned up the ID information on 4,500 of its patients, Sutter had taken a number of measures to bolster data security, the spokeswoman says.
That includes encrypting all mobile computing and storage devices, including laptops and flash drives, as well as desktop computers. Regarding the recent arrests of Soriano and Kennedy - neither of whom worked at Sutter - "We don't know where this [patient] list was taken from," she says.
Sutter has had several health data breaches in recent years. That includes an incident in October 2011, in which Sutter Health reported the theft from its Sutter Medical Foundation of an unencrypted desktop computer containing information on 4.2 million patients (see: Computer Theft Affects 4.2 Million). That incident resulted in the filing of 11 class action lawsuits. Those suits were consolidated into one case, which is making its way through Sacramento County Superior Court.
In addition, Sutter Health reported a May 2011 breach at its Sutter Gould Medical Foundation in which lost paper records resulted in 1,920 patients being notified that their information was possibly compromised. That incident appears on the Department of Health and Human Services breach website that lists incidents involving 500 or more individuals.
ID Theft Prevention
Security expert Bob Chaput, founder of consulting firm Clearwater Compliance, says patients and healthcare providers can take steps to avoid becoming victims of ID theft and fraud.
For providers, those steps include:
- Doing background checks of employees, volunteers and contractors;
- Developing HIPAA-compliant procedures specific to the day-to-day operations of various workforce members;
- Providing training and follow-up security reminders about those procedures for all workers;
- Identifying databases, applications and systems containing protected health information and listing workforce members with access;
- Establishing and executing processes for initiating and terminating workers' access to PHI.
Chaput suggests patients consider these tips for better protecting their IDs:
- Do not share medical IDs with friends or family.
- Password protect any access to personal medical information, and do not share your passwords with friends or family.
- Request a copy of your medical history and review for accuracy and completeness.
- Promptly review explanations of benefits statements from insurers to ensure that they are accurate and complete.
- Immediately notify your health plan or provider if you spot any inaccurate or incomplete records in your medical history.